W64_SHRUGGLE.A is the second piece of malware discovered that infects 64-bit Windows Portable Executable (PE) files. It and the first such virus, W64_RUGRAT.A, are believed to have been created by the same author, who calls himself roy g biv. While W64_RUGRAT.A infected 64-bit files running on IA64 (Intel Itanium) processors, this virus is intended to infect PE files running on AMD 64-bit systems. Both of these 64-bit viruses are considered proof-of-concept viruses, meaning the author is probably trying to prove that new systems are susceptible to virus attacks. W64_SHRUGGLE.A is currently spreading in the wild and infecting Windows 64-bit systems.

Upon execution, this virus searches for target files in the current folder and its subfolders, and infects every 64-bit file (AMD64 only) that it finds. It passes each candidate file through some filtering criteria, appends its code to the last section of the host file, and then marks that section as executable. Garbage data may be appended at the end of the virus code to further avoid detection.

This virus does not infect 32-bit files and does not run on 32-bit processors without software that supports AMD64 programs. All infected files contain the following signature string: "Shrug - roy g biv".
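The traits described above (AMD64 PE, executable last section, signature string) can be checked together in a quick triage pass. The following is an added example, not Trend Micro's detection logic; the function names, the constructed sample header, and the reading of "last section" as the section placed last on disk are assumptions.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664   # COFF Machine value for AMD64 images
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic: executable
MARKER = b"Shrug - roy g biv"       # signature string quoted in the advisory

def triage(data: bytes) -> dict:
    """Report the traits the advisory describes for one PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"pe": False}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"pe": False}
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break  # truncated section table: stop instead of raising
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_ptr = struct.unpack_from("<I", data, off + 20)[0]  # PointerToRawData
        flags = struct.unpack_from("<I", data, off + 36)[0]    # Characteristics
        sections.append((raw_ptr, name, flags))
    # Assumption: "last section" means the one placed last on disk.
    last = max(sections, default=None)
    amd64 = machine == IMAGE_FILE_MACHINE_AMD64
    last_exec = bool(last and last[2] & IMAGE_SCN_MEM_EXECUTE)
    marker = bool(last) and MARKER in data[last[0]:]  # search last section to EOF
    return {"pe": True, "amd64": amd64, "last_section": last[1] if last else None,
            "last_section_executable": last_exec, "marker": marker,
            "suspect": amd64 and last_exec and marker}

def build_sample(last_flags: int, tail: bytes = b"") -> bytes:
    """Constructed, non-runnable AMD64 PE header with .text and .rsrc sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, 0, 0x22)
    def sect(name, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, ptr, 0x200, ptr, 0, 0, 0, 0, flags)
    hdr = dos + coff + sect(b".text", 0x200, 0x60000020) + sect(b".rsrc", 0x400, last_flags)
    return hdr.ljust(0x600, b"\0") + tail

if __name__ == "__main__":
    print(triage(build_sample(0x40000040)))                       # data-only last section
    print(triage(build_sample(0xE0000040, b"\0" * 8 + MARKER)))   # constructed look-alike
```

An executable last section also occurs in packed or unusually linked clean files, which is why the flag is combined with the signature string rather than used alone.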

If you would like to scan your computer for W64_SHRUGGLE.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

W64_SHRUGGLE.A is detected and cleaned by Trend Micro pattern file 2.163.06 and above.